SUMMARY

Based on test data of parts, components, and subsystems, the 
probability of successfully completing the mission and the probability 
of flight safety were desired for the Project Mercury 3-orbit mission. 
The purpose of this Technical Note is to give the development of a 
mathematical model, data requirements, and other assumptions used 
in the Mercury reliability evaluation. Although the model was developed
for the evaluation of the Mercury mission, the approach is
general and can be modified for other space system applications. 




FOREWORD 


The purpose of this Technical Note is to give in some detail the development 
of a mathematical model, data requirements, and other assumptions necessary 
for a reliability evaluation of the Project Mercury 3-orbit mission. It should be 
realized that the numerical results of a study of this type should be viewed and 
interpreted carefully and only within the context of the validity of the model and 
the other assumptions which have to be made. 

It is only to the degree that the analytical model is able to describe the 
operation of a complex system adequately and the extent to which it is possible 
to estimate the reliabilities of systems, subsystems, components and parts of 
an overall system that the results obtained will adequately estimate the
reliability of a mission.

It should also be borne in mind that the estimates of reliability obtained 
from test data are subject to inherent sampling variation. By this, we mean 
that if a given subsystem were tested in exactly the same manner under the same 
conditions at a different time, different results might have been obtained purely 
by chance. Reliability estimates for different subsystems and components are 
only point estimates of the true unknown reliabilities. In order to obtain some 
measure of the variability of the estimate of reliability of an overall system, it 
is usually necessary to compute a confidence or prediction interval. In the 
Mercury study this has not been possible because the analytical model is too 
complex. It is hoped that this can be accomplished with the aid of electronic 
computing equipment using Monte Carlo techniques in future analyses. Hence, 
numerical outputs of the model described should not be considered as exact 
numbers, but rather as estimates of the general level of the true unknown 
reliability. 

A question that can be rightfully raised is to what extent does flight test
information prior to a complete flight mission contribute to knowledge about the
reliability of the system. Such flight test information does contribute additional 
test time for the subsystems and in that manner provides additional reliability 
information. However, relative to the total operating time of a ground test
program, this is usually negligible. One may view a successful flight test program
in the following manner. It represents a "de-bugging" phase for a system and 
shows to what extent a test program prior to the flight test has been realistic in 
duplicating the flight environment and exposing embryonic design weaknesses. 

If a prior flight test program is unsuccessful in several instances, then reliability
estimates that would be obtained using the model and approach as outlined in
this report can never be accurate since the assumptions used imply that the system
is not plagued by problems of embryonic design or quality control failures.
In interpreting the reliability estimates in the manner developed in the report, it 
should be realized that the estimates are based on the actual test program
results obtained for the subsystems and components of the overall system. It is
therefore possible that the reliability of the system is actually higher, but this 
is unknown unless it is so demonstrated. It is in this latter sense that estimates 
of reliability obtained from the type of data inputs for the model described in 
this report can be called "demonstrated estimates" and are therefore not
necessarily the upper bound for the actual unknown reliability for a flight mission.

The model and methods used are in many ways idealizations of true system 
operation and the approach taken, namely, estimating overall system reliability 
on the basis of information on subsystems, components and parts, has its
shortcomings. However, there exists at present no other means of assessing the
reliability of a highly complex system using a rational approach and a quantitative
basis, than by using an approach, at least similar in concept, to that used for 
the Mercury analysis described in the following pages. 

Although the model was developed for the evaluation of the Project Mercury 
3-orbit mission, the approach is general and can be modified for other space 
system applications. 
A RELIABILITY MODEL AND ANALYSIS
FOR PROJECT MERCURY — 3-ORBIT 
MANNED AND UNMANNED MISSION 


by 

William Wolman and Fred Okano 


INTRODUCTION 

The Mercury reliability study was initiated in June of 1960 by the National 
Aeronautics and Space Administration in Washington, D. C. Its purpose was to 
provide overall estimates of reliability for the Mercury capsule and booster
system for both the unmanned and manned missions as defined below. In addition,
it was desired to highlight the areas of unreliability that exist in the system. 

This study was divided into two phases: the unmanned mission and the 
manned mission. The unmanned mission was considered to be that which would 
be required of the Mercury capsule with the assumption that no astronaut was 
aboard but that the life support systems were required to function. The manned 
mission, on the other hand, assumed that the astronaut was aboard the capsule 
and that he could function as required. 

The normal mission is defined as a 3-orbit mission from capsule umbilical 
drop to touchdown, while flight safety is defined as the successful completion of 
the normal mission or of any of the aborts possible at various times of the
normal mission. An abort is defined as the necessity, due to some failure, to
terminate the normal mission and bring the capsule to earth prematurely. 

In order to complete this study, a number of assumptions are necessary. 
These assumptions are: 

1. The cut-off date for the system and test data, as used in this study, is 
July 1, 1960. Since that date, additional testing has been performed and there 
have been some changes in the design of the system as well as changes in the 
mission ground rules. 

2. The system considered consists only of the capsule from the period 
of capsule umbilical drop to touchdown and the Atlas booster (including Abort 
Sensing and Implementation System). The study goes up to time of touchdown
and does not include any aspect of the recovery operation. For example, the 
equipment necessary in the capsule itself, such as d-c power, which may be 
required in locating the capsule by recovery forces, is assumed to have to 
function only up to time of touchdown. 

3. No failures are due to: 

a. Capsule structure 

b. Abort Sensing and Implementation System 

c. Ground support systems. 

4. All subsystems and equipments are functioning perfectly at time of 
umbilical drop. That is, effective check-out procedures have eliminated all 
malfunctions present in the system and, moreover, no failures occur between 
check-out and umbilical drop. 

5. The test program for all subsystems and components duplicates the 
actual environmental stresses of the mission. It is known that the
environmental stresses cannot be completely duplicated; however, it has been assumed
that the reliability of the subsystems is that which has been demonstrated by 
the various test programs. 

6. The mathematical and statistical models used truly describe the
mission. These models are discussed further in the following section.

7. If all subsystems function as designed, then the normal mission and 
safety reliabilities will be one. Failures will occur only in the equipments 
which do not function as intended. 

8. Quality control failures are not involved in malfunctions. This means 
that contractor receiving, assembly, and check-out inspections will effectively 
identify all areas of malfunction. The failures that have been included in
estimating the subsystem reliabilities are those that could occur during the mission.
A failure, for example, which would result from a diode put in backwards should 
be detected during some phase of inspection and would therefore not be included. 
Also, failures that may occur at random are included since they may or may 
not be identified during inspection (whether or not corrective action has later 
been taken). 

9. In those instances where the estimate of subsystem reliability is
based on very sparse data, the subsystem is assumed to have passed the
acceptance criteria. Examples of these are the Reaction Control System and
the Cabin Air Temperature Indicator. 

10. As opposed to hardware, which, once it has failed cannot be repaired, 
the astronaut, if unable to perform at one time, can recover and perform his 
required functions in succeeding time periods. 

11. Aborts from orbit are initiated at the end of orbit. Unless a
catastrophic failure occurs, such as rapid oxygen depletion, this will actually be
the case in order to maximize the probability of recovery after touchdown. 

12. Except for the d-c and a-c Power Supply Systems and the systems 
specifically noted, all major systems listed below, comprising the overall 
Mercury system, are considered to be functionally and stochastically
independent of each other for purposes of this study.

a. Booster 

b. d-c Power System 

c. a-c Power System 

d. Environmental Control System 

e. Telemetry 

f. Attitude Control and Stabilization System, including retrograde 
initiation and retro-rocket firing * 

g. Communications System 

h. Capsule Tracking System, including C and S Band Beacons and 
Command Receivers 

i. Tower Ring Separation 

j. Escape Rocket Firing 

k. Capsule Ring Separation 

l. Posigrade Rocket Firing 

m. Periscope Extension 

n. Retrograde Package Jettison 

o. Periscope Retraction 

p. Drogue Chute Deploy 

q. Antenna Fairing Ejection 

r. Main Chute Deploy 

s. Landing Bag Extension. 

13. Both the telemetry and the communications systems are required during
the mission.

*Includes Communications, Telemetry, and Capsule Tracking Systems during
retrograde initiation and retro-rocket firing.

14. The astronaut is not required to orient the capsule during orbit at night
in case of ASCS failure. However, he is required to perform this maneuver in 
daylight, including retrograde maneuver. 

The times of initiation and completion of the normal unmanned mission, as 
well as the eight aborts, are shown in Fig. 1. The times for the manned 
mission are identical except that the unmanned abort C (tower-separation circuit 
failure) does not exist for the manned mission since the crew override which 
initiates this abort is the same override required to continue the normal mission. 

The "overall" reliability diagram is shown in Fig. 2. The overall diagram 
depicts the systems that must operate, in their relative sequence, in order for 
the mission to continue or for an abort to succeed. The systems have been 
given "link numbers" for identification purposes. For example, link 1 is the 
booster operating from capsule umbilical drop to 8-inch lift-off; link 2 is the 
booster from lift-off to escape tower jettison. The aborts have been identified 
by having upper case letters corresponding to the abort (A through G) follow 
the link number. 

An example of the detail reliability diagram is shown in Fig. 3. Fig. 4 
shows, in simplified form, the same system shown in Fig. 3. The various 
equipment identifications in Fig. 3 have been replaced by capital letters in 
order to facilitate mathematical computation of the system reliability. The 
mathematical representation of the system shown in Fig. 3 and 4 is given in 
Fig. 5. Figure 3-A is an abbreviated detailed diagram of a part of the Attitude 
Control System showing the crew inputs but from which all relays, switches, 
fuses, and other small parts have been omitted. 


Fig. 1 TIME SCHEDULE OF NORMAL MISSION AND ABORTS FOR PROJECT MERCURY

Fig. 2 OVERALL RELIABILITY DIAGRAM FOR THREE-ORBIT MERCURY MISSION
(Link numbers are shown in parentheses)

EXAMPLE OF DETAIL DIAGRAM (POSIGRADE ROCKET FIRING AT :06)

Let Pr{X} = probability of event X.


ESTIMATION MODELS

The probability models used in this study are as follows:

1. For continuous time operating devices it was assumed that the probability
of a failure in time interval (0, h), assuming no failure at beginning of the
interval, is given by

$$\lambda h + o(h)$$

where

$$\lim_{h \to 0} \frac{o(h)}{h} = 0, \quad \text{and } h > 0.$$

This implies that the reliability for t units of time is

$$R(t) = e^{-\lambda t}$$

where $\lambda = 1/\theta$, that is, where $\lambda$ is the reciprocal of the mean time to failure $\theta$.

2. For these continuously operating devices the estimated mean time to
failure is

$$\hat{\theta} = \frac{T}{r + 1}$$

where

T = total time accumulated on devices tested
r = number of failures observed
$\hat{\theta}$ = an almost unbiased estimate of the true mean time to failure (reference 1).

3. For go-no-go devices it was assumed that the probability of k failures 
observed out of n tested is given by 

$$\binom{n}{k} p^k (1 - p)^{n-k}$$


where p is the constant probability of a device failing on a single trial. 

4. For the go-no-go devices the estimated constant probability of failure 
is 

$$\hat{p} = \frac{\text{number of failures observed}}{\text{number of devices tested}}$$

where $\hat{p}$ is an unbiased estimate of p, the true probability of failure. The
estimated reliability of the device is obviously then R = 1 - p. 
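
The four estimation models above, carried through for a small series system, as an added example that is not part of the original report. The subsystem test figures are constructed, independence of subsystems is assumed, and the resampling scheme used for the interval is this example's own assumption, a simple stand-in for the Monte Carlo interval the Foreword hopes for.

```python
import math
import random

# Constructed test summaries (not Mercury data).
# Continuous devices: (total test hours T, failures r, mission hours t).
SAMPLE_CONTINUOUS = [(5000.0, 2, 4.5), (1200.0, 0, 4.5)]
# Go-no-go devices: (devices tested n, failures k).
SAMPLE_GO_NO_GO = [(200, 1), (50, 0)]


def mttf_estimate(total_time, failures):
    """Model 2: almost unbiased mean time to failure, theta_hat = T / (r + 1)."""
    return total_time / (failures + 1)


def reliability_continuous(total_time, failures, mission_time):
    """Model 1: R(t) = exp(-lambda t) with lambda = 1 / theta_hat."""
    return math.exp(-mission_time / mttf_estimate(total_time, failures))


def reliability_go_no_go(tested, failures):
    """Model 4: R = 1 - p_hat, p_hat = failures observed / devices tested."""
    return 1.0 - failures / tested


def system_reliability(continuous, go_no_go):
    """Point estimate for independent subsystems that must all work."""
    r = 1.0
    for total_time, failures, mission_time in continuous:
        r *= reliability_continuous(total_time, failures, mission_time)
    for tested, failures in go_no_go:
        r *= reliability_go_no_go(tested, failures)
    return r


def _poisson(rng, mean):
    """Poisson draw: count unit-rate exponential arrivals inside [0, mean]."""
    count, elapsed = 0, rng.expovariate(1.0)
    while elapsed <= mean:
        count += 1
        elapsed += rng.expovariate(1.0)
    return count


def _binomial(rng, n, p):
    """Binomial draw (model 3): k failures out of n independent trials."""
    return sum(1 for _ in range(n) if rng.random() < p)


def monte_carlo_interval(continuous, go_no_go, draws=2000, level=0.90, seed=1960):
    """Percentile interval for system reliability under sampling variation.

    Assumption of this example: each test programme is re-run under the
    fitted model (failure counts Poisson with mean T / theta_hat for
    continuous devices, binomial with p_hat for go-no-go devices) and the
    system estimate is recomputed from the resampled counts.
    """
    rng = random.Random(seed)
    estimates = []
    for _ in range(draws):
        cont = [(T, _poisson(rng, T / mttf_estimate(T, r)), t)
                for T, r, t in continuous]
        gng = [(n, _binomial(rng, n, k / n)) for n, k in go_no_go]
        estimates.append(system_reliability(cont, gng))
    estimates.sort()
    low = estimates[int((1.0 - level) / 2.0 * draws)]
    high = estimates[int((1.0 + level) / 2.0 * draws) - 1]
    return low, high


if __name__ == "__main__":
    point = system_reliability(SAMPLE_CONTINUOUS, SAMPLE_GO_NO_GO)
    low, high = monte_carlo_interval(SAMPLE_CONTINUOUS, SAMPLE_GO_NO_GO)
    print(f"point estimate {point:.4f}, 90% interval ({low:.4f}, {high:.4f})")
```

A go-no-go device with zero observed failures contributes no spread to the interval, which illustrates why very sparse data makes the result look more certain than it is.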
The basis for estimating reliability of parts, components, and subsystems
consists of a summary of tests performed at the contractor's and subcontractor's 
plants, as well as failure reports from the field. The test data included in this 
summary satisfied the following three conditions: 

1. The data must come from testing that duplicates or approximates the 
expected conditions of functioning that will be encountered on the 3-orbit manned 
mission. 

2. The data must come from tests that have been performed for or are
being applied to the Mercury project.

3. The data must come from the testing of equipment that is identical or 
similar to the equipment that will be actually used for the capsule of a 3-orbit 
manned mission. 

The test information provided by the contractor represents the following 
types of tests: 

1. Reliability tests 

2. Vendor qualification tests when the type of testing exercises the
equipment in the same manner as will occur on the mission

3. Pre-installation acceptance tests 

4. Capsule system tests 

5. Special tests, e.g., compatibility mock-up tests and manned
environmental control system tests.

A total of 905 discrepancies were accumulated by July 1, 1960. Of this 
total, 107 were considered to be applicable as reliability failures for the 
unmanned and manned mission analyses. The remaining discrepancies were 
excluded for the following reasons: 

1. Failure analysis indicates that the initial failure report or test
procedure was in error.

2. Failure analysis indicates inspection or workmanship error, or gross 
mishandling. These failures are not due to the operation of the unit and would 
not occur during a mission. 

3. Acceptance criteria were revised or deviated, allowing part to have 
unrestricted usage. 

4. Effective corrective action for the failure has been incorporated. 

5. Effect of failure on presently planned orbital mission is negligible. 

6. Failure occurred as a result of exceeding the usable operating life of
the component. The part in question entered a known wear-out stage that it 
will not be allowed to enter in actual usage. 
7. Failure occurred during testing under environmental conditions in
excess of specification requirements. Such failure is attributable to overstressing
that would not occur in an actual mission. 

8. Discrepancy is a measurable and nonvariable parameter of the
particular unit. Units which have an unacceptable value will not be installed on manned
capsules. 

9. Testing was not considered applicable. The failure did not occur during 
one of the tests specified or was not a test of a complete assembly. 

10. Test time was not available. The failure occurred during a test
ordinarily considered, but time or cycling data were not available.

11. Component or part was not required in this study. The unit on which 
the failure has occurred is not essential, or is not required to function any 
time during the mission, or is an obsoleted unit. 

In some instances the estimates of subsystem reliability were based on very 
sparse test data. In other cases the estimates of reliability were based on
various kinds of test results, such as pre-installation acceptance tests, reliability
tests, and qualification tests. Occasionally information from only one type of 
test was available. In some cases where information from more than one type 
of test was available, all test results were pooled in order to obtain an estimate 
of reliability. It is apparent from the data that in some cases heterogeneous 
test results have been combined. This could have been avoided by eliminating 
certain results. However, then there is the question of introducing other biases. 
In those cases, namely, where multiple tests are available for a given subsystem, 
one should interpret the estimate of reliability as an average over the various 
types of tests. 


PROBABILISTIC MODEL 

A recent paper by Wolman (reference 2) gave a general probabilistic model
in a set-theoretic framework and was the basis for the Mercury analysis. This 
report will extend reference 2, which gave only the model for the normal mission, 
by including the abort situations. But first, let us summarize reference 2, 
using specific Mercury terminology. 

The Mercury spacecraft is composed of the 19 major systems listed on page 
3. It follows then that the reliability of the Mercury capsule is given by 

$$\Pr\{\text{Mercury}\} = \Pr\{abc \ldots s\} = \Pr\{a\} \cdot \Pr\{b \mid a\} \cdot \Pr\{c \mid a, b\} \cdots \Pr\{s \mid a, b, \ldots, r\} \tag{1}$$

where the lower case letters represent the major systems listed on page 3,
Pr{X, Y, ...} is the probability of success of systems X, Y, ...; and, also,
Pr{Z | A, B, C, ...} is the conditional probability of success of system Z given
the successful functioning of systems A, B, C, .... The reason for expressing
the Mercury spacecraft reliability as the product of conditional probabilities is 
to take into account possible dependencies among systems. However, the 
amount of computations involved dictated making the assumption of independence 
among systems. The elements common to two or more systems were, in 
general, small parts with high reliabilities such as relay coils. Such small 
parts were counted as separate and independent entities in the systems. 

Because the probability of the need to abort and the ability to abort varies 
during the mission and also because a number of the major systems operate in 
two different modes during the mission, the normal 3-orbit mission was divided 
into the time periods shown in Fig. 1. 

Having the time periods, now let $S_i$ represent the event that system a
operates successfully from time $t_0$ to time $t_i$ for $i = 0, 1, \ldots, k_a$ ($t_{k_a}$ is the time
the need for system a to operate ends, and $\Pr\{S_i\}$ the probability of event $S_i$).
Then, since successful operation of the system at time $t_i$ implies successful
operation of that system from time $t_0$ to time $t_{i-1}$, it follows that

$$S_i \subset S_{i-1}, \quad i = 1, 2, \ldots, k_a \tag{2}$$

where $S_i$ represents the set synonymous with the event discussed above.
Thus, the reliability of system a through time $t_i$ is

$$\Pr\{S_i\} = \Pr\{S_1\} \cdot \Pr\{S_2 \mid S_1\} \cdots \Pr\{S_i \mid S_{i-1}\} = \Pr\{S_1\} \cdot \frac{\Pr\{S_2\}}{\Pr\{S_1\}} \cdots \frac{\Pr\{S_i\}}{\Pr\{S_{i-1}\}} \tag{3}$$

One must therefore find $\Pr\{S_r\}$ for $r = 1, 2, \ldots, i$. If we let $S_r^*$ be the set
synonymous with the event that the system operates successfully from time
$t_{r-1}$ to $t_r$, then

$$S_i = S_1^* \cap S_2^* \cap \cdots \cap S_i^* \tag{4}$$

For the Mercury study, these intersections were obtained on electronic
computers.
ABORT MODEL


Carrying the results in reference 2 one step further, we shall now give the 
probabilistic abort model used in the Mercury study. 

Similar to the 3-orbit normal mission, the j'th abort (j is one of the aborts
A through G2) is divided into time periods

$$0 = t_0 < t_1 < t_2 < \cdots < t_{i-1} < t_a < t_i < \cdots < t_{\ell_j} \tag{5}$$

where $t_{\ell_j}$ is the time of touchdown for the j'th abort.

The flight safety reliability is then given by

$$\begin{aligned}
\Pr\{\text{Flight Safety}\} &= \Pr\{\text{Successful 3-orbit normal mission}\} + \sum_{\substack{\text{all mutually} \\ \text{exclusive aborts}}} \Pr\{\text{Need to abort and abort successfully}\} \\
&= \Pr\{\text{Successful 3-orbit normal mission}\} + \sum \Pr\{M_{i-1} \bar{M}_a m_a m_{\ell_j}\} \\
&= \Pr\{\text{Successful 3-orbit normal mission}\} + \sum \Pr\{M_{i-1}\} \Pr\{\bar{M}_a \mid M_{i-1}\} \Pr\{m_a \mid M_{i-1} \bar{M}_a\} \Pr\{m_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\}
\end{aligned} \tag{6}$$

where

$M_{i-1}$ is event: normal mission to time $t_{i-1}$
$\bar{M}_a$ is event: failure of normal mission some time prior to $t_a$
$m_a$ is event: able to abort
$m_{\ell_j}$ is event: abort successfully through time of touchdown

and the summation is over all possible aborts.

The need to abort occurs whenever the normal mission cannot be continued. 
This depends on the mission ground rules determined in advance of the space 
flight, and in the case of the Mercury project, these ground rules were set by 
the Manned Spacecraft Center. 

In Project Mercury, a number of systems possess both a normal and a 
minimum mode of operation. By this, it is meant that a system has a mode of 
operation, designated herein as the normal mode, through the first two orbits 
of the normal three-orbit mission. But, during the last of the three orbits, or 
during the time period at the end of which an abort is planned, the system 
possesses a backup or minimum mode of operation. The normal mode may be 
considered as the case where every subsystem must operate, whereas the 
minimum mode is the case where only enough subsystems operate so that the
system operates successfully. As a simple hypothetical example, consider the 
case where the system consists of just two subsystems, A and B. The normal 
mode would require the successful operation of both A and B while the minimum 
mode would require the successful operation of either A or B. Under the mission 
ground rules mentioned above, an abort was deemed necessary when a failure 
occurred in a system such that a switch from a normal mode to a minimum mode 
was required. 

The systems possessing normal and minimum modes are: 

d-c Power Supply 
a-c Power Supply 

Environmental Control System (ECS) 

Attitude Control System. 

Table 1, when filled out, gives the probabilities of mission success and 
flight safety. In column 1 of Table 1, the probability of a normal mission to time
$t_{i-1}$, $\Pr\{M_{i-1}\}$, is the product of the conditional and unconditional
probabilities of the various systems, as discussed in Eq. (1). The systems considered
in the calculation of $\Pr\{M_{i-1}\}$ are those that have operated successfully or
else are operating in their normal modes to $t_{i-1}$. For example, let us
assume that the spacecraft consists of just three systems and let these systems
be denoted by A, B, and C. Then

$$M_{i-1} = (S_{i-1})_A (S_{i-1})_B (S_{i-1})_C$$

and

$$\Pr\{M_{i-1}\} = \Pr\{(S_{i-1})_A\} \cdot \Pr\{(S_{i-1})_B \mid (S_{i-1})_A\} \cdot \Pr\{(S_{i-1})_C \mid (S_{i-1})_A (S_{i-1})_B\} \tag{7}$$

where $(S_{i-1})_a$ is the event that system a is operating in its normal mode to
$t_{i-1}$ or else has successfully completed its function at some time prior to
$t_{i-1}$.

The probability of failure of normal mission at some time prior to $t_a$,
$\Pr\{\bar{M}_a\}$, is, of course, the probability of a normal mission to time $t_a$
subtracted from unity, i.e.,

$$\Pr\{\bar{M}_a\} = 1 - \Pr\{M_a\} \tag{8}$$
PROBABILITIES OF MISSION SUCCESS AND FLIGHT SAFETY

unconditional; U-J: unconditional-joint; C: conditional

Again, $\Pr\{M_a\}$ is the product of the conditional and unconditional probabilities
of the various systems as discussed in Eq. (1). The systems considered are
those that have operated successfully or are operating in their normal modes
to $t_a$.

The probability of a normal mission to the end of the time period $t_i$,

is the product of the conditional and unconditional probabilities of the
various systems. The systems considered are those that have operated
successfully or are operating in their normal modes to $t_i$.

Since the successful completion of the normal mission through time $t_a$
implies successful operation through $t_{i-1}$,

$$M_a \subset M_{i-1} \tag{9}$$

where $M_{i-1}$ and $M_a$ are sets synonymous with the events discussed above and
the unconditional probability of an abort being required is

$$\Pr\{M_{i-1} \bar{M}_a\} = \Pr\{M_{i-1}\} - \Pr\{M_a\} \tag{10}$$

The conditional probability of being able to abort, given that an abort is
required, is

$$\Pr\{m_a \mid M_{i-1} \bar{M}_a\} = \frac{\Pr\{M_{i-1} \bar{M}_a m_a\}}{\Pr\{M_{i-1} \bar{M}_a\}} = \frac{\Pr\{M_{i-1} m_a\} - \Pr\{M_a m_a\}}{\Pr\{M_{i-1}\} - \Pr\{M_a\}} \tag{11}$$

since $\Pr\{A\bar{B}\} = \Pr\{A\} - \Pr\{AB\}$ and $M_a \subset M_{i-1}$.

Let $S_a$ represent the event that a system operates successfully from time
$t_0$ to time $t_a$ and $\Pr\{S_a\}$ the probability of event $S_a$. Then, as before, $S_a \subset S_{i-1}$
where $S_a$ represents the set synonymous with the event $S_a$ discussed above.

Now let $s_a$ represent the event that the system operates, because of the
occurrence of failure(s), in a minimum mode such that an abort is possible but
the normal mission is discontinued. This means that

$$S_a \subset s_a \tag{12}$$

where again $S_a$ and $s_a$ represent sets synonymous with the events discussed
above. That is, the normal mode $S_a$ implies the possibility of a successful
abort.
Letting systems B and C in Eq. (7) represent systems having both normal
and minimum modes, the probability of the event $M_{i-1} m_a$ becomes

$$\begin{aligned}
\Pr\{M_{i-1} m_a\} &= \Pr\{(S_{i-1})_A (S_{i-1})_B (S_{i-1})_C \cap (s_a)_A (s_a)_B (s_a)_C\} \\
&= \Pr\{(S_a)_A\} \, \Pr\{(S_{i-1})_B (s_a)_B \mid (S_a)_A\} \, \Pr\{(S_{i-1})_C (s_a)_C \mid (S_a)_A (S_{i-1})_B (s_a)_B\}
\end{aligned} \tag{13}$$

$$(S_{i-1})_A (s_a)_A = (S_{i-1})_A (S_a)_A = (S_a)_A$$

Also, since

$$\Pr\{M_a m_a\} = \Pr\{M_a\}$$

we have

$$\Pr\{M_a\} = \Pr\{(S_a)_A\} \, \Pr\{(S_a)_B \mid (S_a)_A\} \, \Pr\{(S_a)_C \mid (S_a)_A (S_a)_B\} \tag{14}$$

The intersections $(S_{i-1})_a (s_a)_a$ and their probabilities were obtained with the
aid of electronic computers.

Since conditional probabilities obey the same general rules as unconditional 
probabilities, the conditional probability of being unable to abort, given the 
need to abort, is 

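$$\Pr\{\bar{m}_a \mid M_{i-1} \bar{M}_a\} = 1 - \Pr\{m_a \mid M_{i-1} \bar{M}_a\} \tag{15}$$

and the unconditional probability of this event is

$$\Pr\{M_{i-1} \bar{M}_a \bar{m}_a\} = \Pr\{\bar{m}_a \mid M_{i-1} \bar{M}_a\} \cdot \Pr\{M_{i-1} \bar{M}_a\} \tag{16}$$

The conditional probability of successfully completing an abort, given that
an abort is required and that we are able to abort, is

$$\Pr\{m_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\} = \Pr\{M_{i-1} \bar{M}_a m_a m_{\ell_j}\} / \Pr\{M_{i-1} \bar{M}_a m_a\} \tag{17}$$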

In Project Mercury, the modes of operation, for the systems having both 
normal and minimum modes, are the same for both the ability to initiate and to 

complete the abort. Thus, 
and so Eq. (17) becomes

$$\Pr\{m_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\} = \frac{\Pr\{M_{i-1} m_{\ell_j}\} - \Pr\{M_a m_{\ell_j}\}}{\Pr\{M_{i-1} m_a\} - \Pr\{M_a\}} \tag{19}$$

The unconditional (joint) probability of successfully completing an abort
is

$$\Pr\{M_{i-1} \bar{M}_a m_a m_{\ell_j}\} = \Pr\{m_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\} \cdot \Pr\{M_{i-1} \bar{M}_a m_a\} \tag{20}$$

The conditional probability of failing to complete an abort, given that an
abort is required and that we are able to, is

$$\Pr\{\bar{m}_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\} = 1 - \Pr\{m_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\} \tag{21}$$

and the unconditional (joint) probability of this event is

$$\Pr\{M_{i-1} \bar{M}_a m_a \bar{m}_{\ell_j}\} = \Pr\{\bar{m}_{\ell_j} \mid M_{i-1} \bar{M}_a m_a\} \cdot \Pr\{M_{i-1} \bar{M}_a m_a\} \tag{22}$$
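
The abort model applied to the hypothetical two-subsystem system from the text (normal mode needs both A and B, minimum mode needs either), as an added example that is not part of the original report. The constant failure rates, the independence of A and B, the abort windows that tile the mission, and all numeric values are constructed assumptions; a seeded simulation cross-checks the closed-form sum.

```python
import math
import random

# Constructed inputs (not Mercury data): failure rates per hour and abort
# windows (t_prev, t_a, t_land) = (t_{i-1}, t_a, touchdown time of the abort).
RATE_A, RATE_B = 0.02, 0.05
WINDOWS = [(0.0, 1.5, 2.0), (1.5, 3.0, 3.5), (3.0, 4.5, 5.0)]
T_MISSION = 4.5


def both_then_either(rate_a, rate_b, s, t):
    """Pr{A and B both work to time s, and at least one works to t >= s}."""
    ra_s, rb_s = math.exp(-rate_a * s), math.exp(-rate_b * s)
    ra_t, rb_t = math.exp(-rate_a * t), math.exp(-rate_b * t)
    return ra_t * rb_s + ra_s * rb_t - ra_t * rb_t


def abort_terms(rate_a, rate_b, t_prev, t_a, t_land):
    """Probabilities for one abort window, following Eqs. (10), (11), (19), (20)."""
    p_m_prev = both_then_either(rate_a, rate_b, t_prev, t_prev)   # Pr{M_{i-1}}
    p_m_a = both_then_either(rate_a, rate_b, t_a, t_a)            # Pr{M_a} = Pr{M_a m_a}
    p_prev_able = both_then_either(rate_a, rate_b, t_prev, t_a)   # Pr{M_{i-1} m_a}
    p_prev_land = both_then_either(rate_a, rate_b, t_prev, t_land)
    p_a_land = both_then_either(rate_a, rate_b, t_a, t_land)
    need = p_m_prev - p_m_a                                       # Eq. (10)
    need_and_able = p_prev_able - p_m_a
    land_given_able = (p_prev_land - p_a_land) / need_and_able    # Eq. (19)
    return {
        "need": need,
        "able_given_need": need_and_able / need,                  # Eq. (11)
        "land_given_able": land_given_able,
        "abort_success": land_given_able * need_and_able,         # Eq. (20)
    }


def flight_safety(rate_a, rate_b, windows, t_mission):
    """Eq. (6): normal mission success plus the sum over exclusive aborts."""
    normal = both_then_either(rate_a, rate_b, t_mission, t_mission)
    aborts = sum(abort_terms(rate_a, rate_b, *w)["abort_success"] for w in windows)
    return normal + aborts


def simulate_flight_safety(rate_a, rate_b, windows, t_mission,
                           trials=100_000, seed=3):
    """Cross-check by sampling failure times instead of using the formulas."""
    rng = random.Random(seed)
    safe = 0
    for _ in range(trials):
        fail_a, fail_b = rng.expovariate(rate_a), rng.expovariate(rate_b)
        first, last = min(fail_a, fail_b), max(fail_a, fail_b)
        if first > t_mission:            # normal mission completed
            safe += 1
            continue
        for t_prev, t_a, t_land in windows:
            # Normal mode lost inside this window; the surviving subsystem
            # must carry the minimum mode through the abort's touchdown.
            if t_prev < first <= t_a and last > t_land:
                safe += 1
                break
    return safe / trials


if __name__ == "__main__":
    for window in WINDOWS:
        print(window, abort_terms(RATE_A, RATE_B, *window))
    print("flight safety:", flight_safety(RATE_A, RATE_B, WINDOWS, T_MISSION))
```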


ASTRONAUT PERFORMANCE EVALUATION 

As for the probability that the astronaut will perform the proper overrides 
at the proper times, a team of five individuals, professionally qualified to 
assess man's performance capabilities, was formed to estimate them. These 
estimates were augmented, wherever possible, by experimental data gathered 
at the Aviation Medical Acceleration Laboratory of the Naval Air Development 
Center at Johnsville, Pennsylvania. Crew performance in high-performance 
airplanes was also taken into consideration. 

A description of each manned override with its attendant failure indications 
and corrective action required was listed. Environmental conditions, astronaut 
performance information, and systems description during the overrides were 
also obtained. These were then evaluated by the individual panel members who 
made independent estimates of the astronaut's performance. The average of 
the five estimates for each override was then computed. 
Because the ability of the astronaut to perform his overrides depends on
whether his space suit is overpressurized or not, two sets of estimates were
made. One set was the estimates based on the assumption that the astronaut's
suit was properly pressurized, and the other, on the assumption that it was
overpressurized.

As mentioned in assumption 14, page 4, the astronaut is not required to 
orient the Mercury capsule while in the earth's shadow. Therefore, the
estimates for this maneuver, while out of the sun's light, were not used in this
study. However, the panel considered these overrides to be much more difficult 
at night than in the daylight. 

Having the two sets of averaged estimates (one for a normally pressurized 
suit and one for an overpressurized suit), the probabilities of having an
overpressurized or a normally pressurized suit were then calculated. These
served as weights to the two averages for each override, and an estimated 
probability for the astronaut's ability was then computed. 

The method used will now be given. First, a list was made of causes that 
would result in an overpressurized suit. Then the probabilities of their failing 
were computed. Listed below are the items whose failures would result in an 
overpressurized suit: 

Excessive cabin leakage 

Cabin pressure control valve 

Suit pressure relief valve 

Suit pressure regulator relief valve. 

It is obvious that an overpressurized suit can be deflated by the astronaut's
opening his face plate. However, under the mission ground rules, the astronaut 
cannot open his face plate unless the cabin has not leaked excessively and both 
of the following have failed: 

Suit pressure relief valve 

Suit pressure regulator relief valve. 

Test data showed that the reliability of the suit pressure regulator relief valve 
is unity, and, hence, the need for the astronaut to open his face plate is obviated. 
However, let us develop the general formula for the percentage of time the 
astronaut will have an overpressurized suit. 
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Since the items whose failures would result in an overpressurized suit are 
all found in the Environmental Control System (ECS), we may set 

$$\Pr\{\mathrm{ECS}\} = \Pr\{\mathrm{ECS} \cap (H \cup S) \cap (\mathrm{Op} \cup \mathrm{Cl})\} \tag{23}$$


where ECS is the event that the ECS is working properly or else the set is
synonymous with the event; $H$ is the set synonymous with the event that the suit
is overpressurized or "hard"; $S$ is the set synonymous with the event that the
suit is normally pressurized or "soft"; $\mathrm{Op}$ is the set synonymous with the event
that the face plate is open; and $\mathrm{Cl}$ is the set synonymous with the event that the
face plate is closed. The assumptions we have made in (23) are that $H \cup S = \mathcal{S}$
and that $\mathrm{Op} \cup \mathrm{Cl} = \mathcal{S}$, where $\mathcal{S}$ is the whole space. That is, the suit is either
hard or soft (and not partially overinflated) and the face plate is either opened
or closed. By expansion, (23) becomes

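$$
\begin{aligned}
\Pr\{\mathrm{ECS}\} &= \Pr\{(\mathrm{ECS} \cap H \cap \mathrm{Op}) \cup (\mathrm{ECS} \cap H \cap \mathrm{Cl}) \cup (\mathrm{ECS} \cap S \cap \mathrm{Op}) \cup (\mathrm{ECS} \cap S \cap \mathrm{Cl})\} \\
&= \Pr\{\mathrm{ECS} \cap H \cap \mathrm{Op}\} + \Pr\{\mathrm{ECS} \cap H \cap \mathrm{Cl}\} + \Pr\{\mathrm{ECS} \cap S \cap \mathrm{Op}\} + \Pr\{\mathrm{ECS} \cap S \cap \mathrm{Cl}\},
\end{aligned}
\tag{24}
$$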

since the four events are mutually exclusive. However, the probability of the
first of these four events, viz, $H \cap \mathrm{Op}$, is zero. Therefore, the conditional
probability that the suit is overpressurized, given that the ECS is working, 
is 

$$\Pr\{\mathrm{ECS} \cap H \cap \mathrm{Cl}\} \,/\, \Pr\{\mathrm{ECS}\} \tag{25}$$

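The estimate of the astronaut's ability to perform an override is thus

$$
\begin{aligned}
\Pr\{\mathrm{Crew}\} ={}& \frac{\Pr\{\mathrm{ECS} \cap H \cap \mathrm{Cl}\}}{\Pr\{\mathrm{ECS}\}} \times \{\text{Ave. est. for hard suit}\} \\
&+ \frac{\Pr\{\mathrm{ECS} \cap S \cap \mathrm{Op}\} + \Pr\{\mathrm{ECS} \cap S \cap \mathrm{Cl}\}}{\Pr\{\mathrm{ECS}\}} \times \{\text{Ave. est. for soft suit}\}
\end{aligned}
\tag{26}
$$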

The term "Average estimate for hard suit" is the average of the estimates of the 
astronaut's ability to perform this override while in an overpressurized or
"hard" suit. The term "Average estimate for soft suit" is the average of the 
estimates of the astronaut's ability to perform this override while he is in a 
properly inflated or "soft" suit. 


TWO TYPES OF CREW ACTION 

In accordance with assumption 10, page 3, hardware working at time $t_i$
implies that it has worked at $t_{i-1}$ and hence

(27)

where $E_i$ is the set synonymous with the event that equipment E has worked
from t to t . However, for the astronaut, the fact that he is able to perform
his duties at $t_i$ does not necessarily imply that he was able to do so at $t_{i-1}$.
Hence, the electronic computer program had to recognize this. Moreover, the 
computer was required to recognize the fact that two types of crew actions were 
required: (1) the one-time action whereby the astronaut performed an action
just once, such as throwing a switch; and (2) the continuing type of action where
the astronaut continued his action for a length of time, e.g., orienting the
capsule during orbit. 

As an example, let us consider the following simple system: 



The above figure shows that subsystem A is the automatic mode and that if A 
fails, then the astronaut performs his override, C, which activates subsystem 
B. For the 3-orbit Mercury mission, the subsystems are turned on at all times 
although the output from some of the subsystems may be zero. This may be 
likened to having a radio set turned on but at zero volume. Now, if the above 
system were to operate over two time periods, denoted by $t_1$ and $t_2$, then the
probability of the system operating at $t_2$ is

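$$
\begin{aligned}
\Pr\{S_2\} &= \Pr\{(A_1 \cup \bar{A}_1 B_1 C_1) \cap (A_2 \cup \bar{A}_2 B_2 C_2)\} \\
&= \Pr\{A_1 A_2 \cup A_1 \bar{A}_2 B_2 C_2 \cup \bar{A}_1 A_2 B_1 C_1 \cup \bar{A}_1 \bar{A}_2 B_1 B_2 C_1 C_2\}
\end{aligned}
\tag{28}
$$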

In (28), the third term in the right side bracket, viz, $\bar{A}_1 A_2 B_1 C_1$, is the
null set since, by assumption, a piece of hardware cannot recover or be
repaired, and, hence, the set $\bar{A}_1 A_2$ is obviously empty. For equipments A
and B,

$$A_2 \subset A_1 \quad \text{and} \quad B_2 \subset B_1$$


Hence, (28) becomes 

$$
\begin{aligned}
\Pr\{S_2\} &= \Pr\{A_2 \cup A_1 \bar{A}_2 B_2 C_2 \cup \bar{A}_1 B_2 C_1 C_2\} \\
&= \Pr\{A_2\} + \Pr\{A_1 \bar{A}_2 B_2 C_2\} + \Pr\{\bar{A}_1 B_2 C_1 C_2\}
\end{aligned}
$$

as the sets are mutually exclusive.
Now, if the crew action, C, is a one-time action

$$\Pr\{C_1 C_2\} = \Pr\{C_1\} \tag{30}$$

since the single action need not be repeated during the second time period. 
However, if C is a continuous action, 

$$\Pr\{C_1 C_2\} = \Pr\{C_1\} \cdot \Pr\{C_2\} \tag{31}$$
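The reduction of (28) and the two crew-action cases (30) and (31) can be checked numerically. The following is an added example, not part of the original Technical Note: it enumerates every joint state of A, B and C over the two periods and compares the result with the reduced sum of three mutually exclusive terms. Independence of A, B and C, the sample probabilities, and the modelling of the one-time action as C_1 contained in C_2 are assumptions made here for illustration.

```python
from itertools import product

# Constructed sample probabilities (not Mercury test data).
# a1 = Pr{A_1}, a2 = Pr{A_2}, etc.; a2 <= a1 because hardware cannot recover.
SAMPLE = dict(a1=0.95, a2=0.90, b1=0.98, b2=0.96, c1=0.90, c2=0.92)

def hardware_states(p1, p2):
    """Joint law of (E_1, E_2) for non-repairable equipment (E_2 subset of E_1)."""
    return {(True, True): p2, (True, False): p1 - p2, (False, False): 1.0 - p1}

def crew_states(c1, c2, one_time):
    """Joint law of (C_1, C_2) for the two types of crew action."""
    if one_time:
        # Eq. (30): Pr{C_1 C_2} = Pr{C_1}; assumed here as C_1 subset of C_2.
        return {(True, True): c1, (False, True): c2 - c1, (False, False): 1.0 - c2}
    # Eq. (31): Pr{C_1 C_2} = Pr{C_1} * Pr{C_2}.
    return {(x, y): (c1 if x else 1.0 - c1) * (c2 if y else 1.0 - c2)
            for x, y in product((True, False), repeat=2)}

def system_up(a, b, c):
    """Event in eq. (28): in each period, A works, or A failed and B and C work."""
    return all(a[i] or (b[i] and c[i]) for i in (0, 1))

def pr_s2_enumerated(a1, a2, b1, b2, c1, c2, one_time):
    """Pr{S_2} by summing the probability of every joint state where the system is up."""
    total = 0.0
    for (a, pa), (b, pb), (c, pc) in product(hardware_states(a1, a2).items(),
                                             hardware_states(b1, b2).items(),
                                             crew_states(c1, c2, one_time).items()):
        if system_up(a, b, c):
            total += pa * pb * pc
    return total

def pr_s2_closed_form(a1, a2, b1, b2, c1, c2, one_time):
    """Pr{A_2} + Pr{A_1 ~A_2 B_2 C_2} + Pr{~A_1 B_2 C_1 C_2}, with ~ meaning 'failed'."""
    pr_c1c2 = c1 if one_time else c1 * c2
    return a2 + (a1 - a2) * b2 * c2 + (1.0 - a1) * b2 * pr_c1c2

if __name__ == "__main__":
    for one_time in (True, False):
        print(one_time,
              pr_s2_enumerated(**SAMPLE, one_time=one_time),
              pr_s2_closed_form(**SAMPLE, one_time=one_time))
```

With these sample values the one-time action gives the higher system probability, because the single action does not have to succeed again in the second period.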